[libxml2] Check XPath stack after calling functions

From: Nick Wellnhofer <nwellnhof src gnome org>
To: commits-list gnome org
Cc:
Subject: [libxml2] Check XPath stack after calling functions
Date: Fri, 29 Mar 2019 12:10:57 +0000 (UTC)

commit 236dd6ab2e6129ece366117070c7c014500a00c1
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Mar 13 18:21:02 2019 +0100

    Check XPath stack after calling functions
    
    Check that there's exactly one return value on the stack after calling
    XPath functions. Otherwise, functions that corrupt the stack without
    signaling an error could lead to memory errors.
    
    Found with libFuzzer and UBSan.

 xpath.c | 3 +++
 1 file changed, 3 insertions(+)
---
diff --git a/xpath.c b/xpath.c
index 72c63382..facd6419 100644
--- a/xpath.c
+++ b/xpath.c
@@ -13431,6 +13431,9 @@ xmlXPathCompOpEval(xmlXPathParserContextPtr ctxt, xmlXPathStepOpPtr op)
                 func(ctxt, op->value);
                 ctxt->context->function = oldFunc;
                 ctxt->context->functionURI = oldFuncURI;
+                if ((ctxt->error == XPATH_EXPRESSION_OK) &&
+                    (ctxt->valueNr != ctxt->valueFrame + 1))
+                    XP_ERROR0(XPATH_STACK_ERROR);
                 xmlXPathPopFrame(ctxt, frame);
                 return (total);
             }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]